Slashdot Mirror
Symantec Posts Fix To Vulnerability
An anonymous reader writes "Just a few days after it was discovered, Symantec has posted a fix to a critical flaw with its Antivirus software." From the article: "The eEye digital security firm reported the problem initially, and discovered it was present in the newest versions of the affected Symantec products. Further research noted by Symantec described the problem as a flaw that made the products vulnerable to a stack overflow. Once exploited, that overflow could have permitted an attacker to execute code on the machine, with System level rights. The issue was made worse by being one that impacted enterprise-level customers, big spenders that purchase hundreds or thousands of licenses depending on the size of the business. "
Just a few days after it was discovered, Symantec has posted a fix to a critical flaw [CC] with its Antivirus software.
So how long after they confidentially reported the problem to Symantec (as I'm sure they did) did it take them to fix it?
Patched or not, the information presented here and in the pages linked therein make it clear that -- until all machines are patched -- there is a distinct possibility of an exploit getting through. To that end, I have no doubt some groups have been hot on the issue looking for the hole.
The same page ^^^ implies that symantec released IPS signatures for their products. With that said, do any signatures exist for other IPS/IDS solutions (snort, etc) ? If so, I would very much like to utilize them until any possibility of a threat has passed.
Yes, of course even in memory safe languages (Java, Python, etc) something somewhere needs to have memory access. That thing is the VM/interpreter. Fortunately there are very few areas of code in the VM that need to have memory access, so if you make those correct, then you can write a million lines of application code and know that there aren't any overflows in it.
-------------
Carry a concealed weapon in California
Their reputation as an anti-virus provider used to be second to none, now after bloated software and software bugs a lot of people are having second thoughts.
I think they need to go back to square one and develop a product that is not going to give them a bad reputation if they want to stay competitive.
After working with a lot of other anti-virus packages and seeing how un-invasive a good anti-virus package can be I refuse to use Symantec products anymore and to my clients I strongly recommend them change products when their license is up for renewal.
If it wasn't for Symantec bundelling their software with OEM's I wonder how much of an impact they would have? Most uneducated people I do work for think of all anti-virus as "Nortons" and are amazed at how much their system performance improves when I replace it with something else.
They used to have some good products 10 years ago, but I haven't seen a decent anti-virus release from them for a long time now.
For the curious: The reason they point out that this is a stack based BoF is because stack addresses are easily predictible, while heap addresses are not. So stack based overflows are much easier to write exploits for.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Yes. Memory-safe languages running inside a VM is exactly the kind of languages that I'd choose to write antivirus software.
After all, antivirus are not the kind apps that make your computer to underperform by a great margin, and they don't eat too many resources. Absolutely everything in software is about the algorithms, isn't it?
Seriously, Nod32 owns... owns, owns, owns.
w ww.av-comparatives.org/seiten/comparatives.html
Kaspersky is pretty good too.
But who in their right mind, that knows *anything* about security, uses Symantec or McAfee anti-virus products?
Check out these: http://www.av-comparatives.org/index.html?http://
And if you have a VirusBtn login, the 100% awards are alright indicators of virus scanner quality, but nowhere near as good as av-comparatives IMO.
http://www.angryburrito.com/ The best, completely unfinished software review site ever.
Was a time where we used the term "virus" to refer to a self replicating piece of code that didn't rely on exploits to move around. We used the term "worm" to refer to code that did rely on exploits. So even in the most secure operating environment you could still have a virus, but you couldn't have a worm. Of course, now-a-days everyone refers to viruses as worms and worms as viruses. As long as the operating system is performing actions on behalf of the user you will have software that does what the author wants but not what the user wants. The only real way to stop that is to make the user do everything themselves.. that is, it's completely impractical to stop. Stop-gap measures like virus/worm/spyware/malware detection, quarantine and elimination will always be necessary to mitigate the damage these nasties can do.
How we know is more important than what we know.
Vulnerabilities in security software make me think of those dialogs between the Tortoise and Achilles -- particularly the one where the Tortoise and the Crab are developing ever more fancy record players. The Crab keeps getting nicer record players and the Tortoise keeps giving him records that induce fatal resonance in some mechanism of the record player...
in GEB it was a parable about the Godel incompleteness theorem -- and, of course, designers of security software would do well to think carefully about it...
That same time, we called those who penetrated systems as Crackers, and those who wrote amazing code Hackers. Steven Levy wrote about them.
It was a nice time.
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Especially antivirus software that intercepts kernel hooks....
//Information does not want to be free; it wants to breed.